ramnit | 377031a94559fef772cda1593232a3b2c7fa6ac7ec57dc44a37cacef3cfa2c06

Analysis

max time kernel
104s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Size

1.9MB
MD5

11440d40b4dcfc3cf8383f9097433bb8
SHA1

f0f69363ebceee5c5945f44867ab7feb7ea2f57b
SHA256

377031a94559fef772cda1593232a3b2c7fa6ac7ec57dc44a37cacef3cfa2c06
SHA512

36c10cdcd318638aab437a4bdd9e3088d5194dea1359786a960f1d595727f734349104c02cd5fab5258d95591a990ef9e1ec113958e1c81f27eff020b1f1feeb
SSDEEP

24576:87ZGy9+Acpjdv+K3eqA6dj6YU1s20UPxXMP2Wk4AX:+/Sp5AyAXtWk1

Score

10^/10

ramnit banker discovery spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\Rockey4.sys	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File created	C:\Windows\SysWOW64\drivers\Rockey4USB.sys	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\5E817A545D4EA57DC0674E4DF10489CDC055BDBC\Blob = 0300000001000000140000005e817a545d4ea57dc0674e4df10489cdc055bdbc040000000100000010000000dfe2df6da86d621ea59420e7254f41f019000000010000001000000024ff13c7090a51aa0043231473a8b16f140000000100000014000000604cd9d7712845eb7bcf699134f013bfad4971e40f0000000100000014000000aa9ff6979bf3e3d4d898267e9d2a449748f731c52000000001000000840500003082058030820468a00302010202107410e66950047fb99a072d507e990d73300d06092a864886f70d01010505003081b4310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313b3039060355040b13325465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f727061202863293130312e302c06035504031325566572695369676e20436c617373203320436f6465205369676e696e672032303130204341301e170d3133303332353030303030305a170d3134303632343233353935395a3081c3310b300906035504061302434e3110300e060355040813074265696a696e673110300e060355040713074265696a696e6731273025060355040a141e4665697469616e20546563686e6f6c6f6769657320436f2e2c204c74642e313e303c060355040b13354469676974616c20494420436c6173732033202d204d6963726f736f667420536f6674776172652056616c69646174696f6e207632312730250603550403141e4665697469616e20546563686e6f6c6f6769657320436f2e2c204c74642e30820122300d06092a864886f70d01010105000382010f003082010a02820101008b24a9235419cc23c769130de5d8d6dff1f5111ea0c6ad1cf6e89b3fa66ca26f36d71e95bf53a33c21bcbb2eb93f3d045cc45f505ae58ae7c0eb3e99972990fa6e8e90068555d052185b8fa140ebd154f44d7c92d6bb77737e60a8f486154337dc9f6869a8707355306ddf45cd8077d2ec1d489327850ec9ca9744cfa27e8c6c31f722dbaf835ebda593ad94e027e892dc88e0e96fa409af952457278a475496175ed43b405df6338d5512e5636174b96f8af61f8bf4744d98e8079a8fd503c92c67d5e398503891a5a30af4647c2399a79ac6570000a298ca7d9ea62918b24ab7f751b5bcf5513a66b05ad179bbb026d31813d2b47ad0d6b6febf2006db3f110203010001a382017b3082017730090603551d1304023000300e0603551d0f0101ff04040302078030400603551d1f043930373035a033a031862f687474703a2f2f637363332d323031302d63726c2e766572697369676e2e636f6d2f435343332d323031302e63726c30440603551d20043d303b3039060b6086480186f84501071703302a302806082b06010505070201161c68747470733a2f2f7777772e766572697369676e2e636f6d2f72706130130603551d25040c300a06082b06010505070303307106082b0601050507010104653063302406082b060105050730018618687474703a2f2f6f6373702e766572697369676e2e636f6d303b06082b06010505073002862f687474703a2f2f637363332d323031302d6169612e766572697369676e2e636f6d2f435343332d323031302e636572301f0603551d23041830168014cf99a9ea7b26f44bc98e8fd7f00526efe3d2a79d301106096086480186f84201010404030204103016060a2b06010401823702011b040830060101000101ff300d06092a864886f70d01010505000382010100bcb1d8e3538bc8d64526ed2c191fecb0f310db585de6f0d93b4f47085c41b71b4da3bc7687027aad0c5b4f19ae70348dc4d846ba9cda5dd1dea62ea530e31446f215a8658893590c40311ea78ade96e06940677f3682d9481184aee839c5695c4ea2e5c178d449f14392364ac431de64a2e5df71741df1ca4cc7bbf3024a7121cb18008c5d1c79c6b1611fb336463f683ab9b6e3e5b747def34897e59c484263e77b4f0a9d36654b20aabefefbdd7784789656cf0d9d7a3fde2072bdfde43af1240ff369841ca58fb591a9f9773c547bff724c643f581f4e63002e743efd100fff2339a4392bbf1c9f5135923f24104e76292d2a5f99c9afa3f30de1f5a40227	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
1572	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
1012	DesktopLayer.exe

Loads dropped DLL 1 IoCs

pid	Process
404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\InstDll.dll	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD467.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD477.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD477.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD478.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD48A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Ry4CoInst.dll	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD467.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD48A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.cat	DrvInst.exe
File created	C:\Windows\SysWOW64\Ry4CoInst.dll	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD478.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD479.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\SETD479.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Ry4CoInst.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4USB.sys	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\rockey4.inf_amd64_634c4492dc802a31\Rockey4.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4USB.sys	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}	DrvInst.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1572-4-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/files/0x00050000000227cb-3.dat	upx
behavioral2/memory/1572-10-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1012-19-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral2/memory/1012-21-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px7000.tmp	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\INF\oem3.inf	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Checks SCSI registry key(s) 3 TTPs 38 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe

Modifies Internet Explorer settings 1 TTPs 20 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{8C8A336E-0764-11F0-A1E4-42B680C18F56} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-814918696-1585701690-3140955116-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449443863"	iexplore.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe
1012	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeAuditPrivilege	5796	svchost.exe
Token: SeSecurityPrivilege	5796	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5660	iexplore.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
5660	iexplore.exe
5660	iexplore.exe
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE
4540	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 1572	404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	84
PID 404 wrote to memory of 1572	404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	84
PID 404 wrote to memory of 1572	404	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe	84
PID 1572 wrote to memory of 1012	1572	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	85
PID 1572 wrote to memory of 1012	1572	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	85
PID 1572 wrote to memory of 1012	1572	2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe	85
PID 1012 wrote to memory of 5660	1012	DesktopLayer.exe	86
PID 1012 wrote to memory of 5660	1012	DesktopLayer.exe	86
PID 5660 wrote to memory of 4540	5660	iexplore.exe	87
PID 5660 wrote to memory of 4540	5660	iexplore.exe	87
PID 5660 wrote to memory of 4540	5660	iexplore.exe	87
PID 5796 wrote to memory of 4500	5796	svchost.exe	100
PID 5796 wrote to memory of 4500	5796	svchost.exe	100
PID 4500 wrote to memory of 3268	4500	DrvInst.exe	101
PID 4500 wrote to memory of 3268	4500	DrvInst.exe	101

C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthys.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:404
- C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
  C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:5660
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:5660 CREDAT:17410 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5796
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{08eda411-1f88-644d-ad89-069304ee49d0}\Rockey4.inf" "9" "4281a14cb" "0000000000000138" "WinSta0\Default" "0000000000000150" "208" "C:\Windows\Temp"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{f028d511-be72-324a-a31a-74d8ea8b3d2e} Global\{a61b6066-5c08-8247-9615-878915549820} C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4.inf C:\Windows\System32\DriverStore\Temp\{77d0a9e3-7ad0-4841-908f-b17dc318b41c}\Rockey4.cat
    3⤵
    PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
01fa3211165ca3e0dbd816e5389630bf

SHA1
2a6569707c8ea29cbf996a906855470bb7831f48

SHA256
ab165a9a5b25e6c05f6f2eac77c9dcc9b4157897524a0be4415cdae9cef5636f

SHA512
1848c476ebf00781299715f7c664465a071fa54e3bc14002df35a74aa27667788956bddc4b96b241ea2865f819cf5e33ed7907504a99342c2a0379a0964550ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
bb5ab3850e2fa2f5c0b92e8b87ddf1f8

SHA1
d0911d17d6da37c2ce8f00688fd5703b47b13068

SHA256
1a55e990fda31429f51561588d87fa00d8d0436d5a3a370f5c939f520c661b69

SHA512
529398574099ef6f57e8f9833df2076aa1b05f3b8d78d7401f16a21dc9332f4ef824343392256a4eb469013d99aad9ba16f55001fef593ff9e4e3c37c79564c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OMQG84ST\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\2025-03-22_11440d40b4dcfc3cf8383f9097433bb8_amadey_icedid_ramnit_rhadamanthysSrv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
C:\Windows\SysWOW64\InstDll.dll

Filesize
412KB

MD5
28777af4daf84f9ad4145f7105e02477

SHA1
f2100f4812007a253134d4e134e6208a78263a2c

SHA256
7e0f6280add4c6000d6bf548402e849b83047b960ad89be067ae87e4dc103b77

SHA512
543e81509693ed6b75f9dbce536ab15f1bcac5f1fc71646b53ac2bafd2af5859add9acf21b247719e2cf6d2974c3c8552a1fb2f13d3f3be428099fc62e62dcad

Download Submit
C:\Windows\Temp\Rockey4.inf

Filesize
3KB

MD5
3ce2e5aeef01fa93d94868953406856b

SHA1
10d56292d022f39d8ceefded624f8522f5bdccfd

SHA256
8cf87f05e75dd558eac842ea3eeda9cafe675d4c6d1eaa211c403b7de2e599cb

SHA512
ffeb48efa4254d11d398eb6197ec1a8c0ae398d0bd3dd1cd7d3f66fd8f8e252e726b8adcf651c6e2f2bd9a78023151ca2103349bb63f788aef306010f6f983fc

Download Submit
C:\Windows\Temp\Rockey4.sys

Filesize
29KB

MD5
6b9b088f4921b5114f7916a1cfa90f51

SHA1
be3d21cf1a9eae23ff0464f2ee19d60891ba8777

SHA256
a3fbfe4c4c5195524107d1127e8165d53319f306e07647022a6557750f0b2c29

SHA512
961c9e56bb62098989d55a951da4b05db56d15ca26ca85f9413139f24ae3624056c33d16d711819f1cac97469fa456578fedcd30dde773d87523a29cb337a98d

Download Submit
C:\Windows\Temp\Rockey4USB.sys

Filesize
20KB

MD5
a215e31da7fc0369e315132303582b5b

SHA1
3dbb87e75c01ad93845a6c90602bdcd49f5e1882

SHA256
a55c1b52240efb612b0771f35797f2aa68b249be7f7da930a0ee5d8212c7f7a7

SHA512
c5d132725c3f41357b517341a28220cf205cba4c49376908b03e8780c6c456db70724f48b3ce89f90edb9e865308a607a41db0571e8e871c503e0ff251ce76a2

Download Submit
C:\Windows\Temp\Ry4CoInst.dll

Filesize
6KB

MD5
5d1e774106c240e330e7384f8bd2835c

SHA1
0e6bfc62067d52540eb84852eb1e160fb646e4d5

SHA256
fab2055534c54c8c8d3df3065a481fb8b2d1bc052c29ac500634ba63f32fea09

SHA512
48c4d2ac25e8e3f128201cc0503de7cdb952ad849fe760c112bf32ff0e9df96da16fa356ab99f64cb45eb3a4314fc3bfdc852e06a1263c4cd681c7b42b9df578

Download Submit
C:\Windows\Temp\rockey4.cat

Filesize
9KB

MD5
f5e17a72ecbe8f0556423e796124f785

SHA1
60b887c365c0541e0aa1518ac687bc3eb7e60a4c

SHA256
d0e390cbe3a1313d0b4348bfdc9da947616fc7dda4ecc414468b5f2151f5b60f

SHA512
4f85087d92b2b6494cb2a1d281c34bb72fa6bd9f31d3369aa9729ba12d320618836f2d25dc92dcec18b1c9cfa0f3977bff809d179a988ddacaf67acfe06ea9c4

Download Submit
memory/404-0-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/404-22-0x0000000000400000-0x00000000005F5000-memory.dmp

Filesize
2.0MB

Download
memory/1012-18-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/1012-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1012-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1572-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1572-6-0x0000000000590000-0x000000000059F000-memory.dmp

Filesize
60KB

Download
memory/1572-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download